Death By Hacking: Tomorrow's IT Worry?

Medical device software vulnerabilities and cyber threats raise important new liability questions for CIOs and CISOs.

Remote Patient Monitoring: 9 Promising Technologies

(click image for larger view)

Technology has permeated virtually every aspect of our lives. That has many benefits and some negatives. But it also means the United States, and the world, have become highly dependent on technology. And as that dependence grows, so does our vulnerability to system failures and cyber attacks.

This year, cybersecurity experts forecast that in 2013, nation-sponsored cyber warfare will go mainstream, and some believe certain cyber attacks will lead to actual deaths.

A look at the role technology and software play in the healthcare industry illustrates why this is no longer an idle threat. And the healthcare industry is not alone. But it also raises new concerns that manufacturers whose products depend on software could face charges of criminal negligence, if they don't take product vulnerabilities more seriously.

The United States is the largest healthcare market in the world. Varying reports suggest that over half the medical devices sold in the U.S. rely on software. Jay Radcliffe, a diabetic patient, was among the first to show how hackers could scan for vulnerable insulin pumps from hundreds of feet away and force the medical device to dispense a lethal dose of insulin. That got the attention of the Department of Homeland Security, government regulators as well as many organizations in the medical community.

Last year the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center issued an unclassified -- for official use only -- document calling attention to the potential impact of cyber threats on the multi-trillion dollar healthcare industry. It warned healthcare organizations how "failure to implement a robust security program will impact the organization's ability to protect patients and their medical information from intentional and unintentional loss or damage."

While some glanced over this statement, other recognized that "protect patients" means protect their lives.

DHS is not the only one calling attention to the massive cybersecurity issue. The Food and Drug Administration, which regulates medical devices, issued a warning in June to medical device manufacturers and healthcare institutions and providers saying it has learned of "cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations."

"In a world in which communication networks and medical
devices can dictate life or death, these systems, if compromised, pose a significant threat to the public and private sector," the document stated. Other government and private sector organizations have also expressed growing concerns surrounding potential vulnerabilities of medical devices on medical IT networks.

All this combines to paint a clear picture of the risk; a risk that must be addressed immediately given all that is at stake.

When you examine the software used in medical devices, even non-technical observers can see the massive risk that comes with patching. Cybersecurity experts have long warned about how critical it is to apply software code fixes in a timely manner to address known vulnerabilities in software. Forget Patch Tuesdays for medical devices and systems! There are stringent testing requirements that are applied when changes/modifications are made to medical devices and systems.

The FDA has developed an enhanced risk-based validation approach and has issued guidelines on this approach. Based on its definition, validation requires establishing, using objective evidence, that a process consistently produces a result or that a product meets its predetermined specifications.

Importantly, if a software patch is applied to the underlying operating system of a medical device or system, it must be retested to obtain "objective evidence" that the device or system is functioning properly and meets the predetermined specifications.

The additional costs of applying the patches and updates and the revalidation of device/system software would be passed along to the owner/operator of the medical device and system. In most cases, that would require a new maintenance agreement between the manufacturer or service provider as well as the device owner/operator. All that adds up to time, cost and a delay in patching all the vulnerabilities discovered since the device/system was designed or last updated.

ItGÇÖs interesting to read about this other aspect of hacking and not only about the protection of patient health information and patient demographic information. I really hadnGÇÖt given it much thought before but this is actually kind of scary. The thought that a hacker, or anyone wishing harm upon somebody else, could essentially remotely hack into a machine and provide lethal doses is very scary. It makes you skeptical of the machines that are there to supposedly save your life.

An acquaintance of mine went through a heart transplant. Post surgery there was trouble with the technology in an external box and after weeks of hassles, with untrained nurses who had no idea of what was wrong, finally this guy opened up the electronics and rewired them when no one was around! Who knows what would have happened had he not hacked it...